X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=docs%2Fcert_installation.rst;h=bb03f0ac0f93284b2b7477fdc2b534a447306d2e;hb=refs%2Fheads%2Fmaster;hp=8e665c2b551eb1527541e1a1eb2328619cf9b99e;hpb=3f42311634b3a2b25dee786fecb3d83f94e419e4;p=sdnc%2Foam.git diff --git a/docs/cert_installation.rst b/docs/cert_installation.rst index 8e665c2b..bb03f0ac 100644 --- a/docs/cert_installation.rst +++ b/docs/cert_installation.rst @@ -95,12 +95,13 @@ Once you have this downloaded you need to go the following location. */oam/installation/src/main/yaml* -Once you are there you need to edit the docker-compose.yaml file to include your directory where you have the zip file and certs.properties located. +Once you are there you need to edit the docker-compose.yaml file to map the zip file and certs.properties file into the container. You need to add in the following lines into the yaml file just below *container_name: sdnc_controller_container* in the file:: volumes: - - :/opt/opendaylight/current/certs + - /certs.properties:/opt/opendaylight/certs/certs.properties + - /keys0.zip:/opt/opendaylight/certs/keys0.zip Once you have the mount path for your files added into the yaml file you can run the following command:: 
@@ -156,7 +157,102 @@ You must also send this as the body of the request:: -where IP-ADDRESS is the ip-address you are trying to mount the pnf-simulator on. +where IP-ADDRESS is the ip-address you are trying to mount the pnf-simulator on. + + + + +New secure communication functionality +================================================================================= + +In order to ensure secure communication on southband interface a new functionality have been introduced. The Certificate Management Protocol ver. 2 (CMPv2) is handled by the AAF microservice CertService. + +SDNC is capable of obtaining certificates signed by an external Certificate Authority to secure external ONAP communication. + +Confirmation of this functionality can be performed in OOM using the Contrib projects EJBCA service. + +Firstly, CertService will need to be deployed. This will require the global flag *global.cmpv2Enabled* to be set to true in *kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml* + +There is also an additional module that will need to be deployed named platform. This is required for secret creation. + +To deploy the EJBCA server the global flag *global.addTestingComponents* in *kubernetes/onap/values.yaml* will need to be set to true. This flag will load the test configuration from *kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json* + + + +cmpServers.json: + +.. code-block:: json + + { + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://aafcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] + } + + + +SDNC invokes the CertService in a new initContainer called certs-init. 
+ +There are a number of variables used that can be configured and these are available in *kubernetes/onap/values.yaml* under aaf/certServiceClient + + + +CertService configuration: + +.. code-block:: yaml + + aaf: + certServiceClient: + image: onap/org.onap.aaf.certservice.aaf-certservice-client:1.0.0 + secret: + name: aaf-cert-service-client-tls-secret + mountPath: /etc/onap/aaf/certservice/certs/ + envVariables: + # Certificate related + cmpv2Organization: "Linux-Foundation" + cmpv2OrganizationalUnit: "ONAP" + cmpv2Location: "San-Francisco" + cmpv2State: "California" + cmpv2Country: "US" + # Client configuration related + caName: "RA" + requestURL: "https://aaf-cert-service:8443/v1/certificate/" + requestTimeout: "20000" + keystorePath: "/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks" + keystorePassword: "secret" + truststorePath: "/etc/onap/aaf/certservice/certs/truststore.jks" + truststorePassword: "secret" + + + + +For more information: + ++------------------------------------------------------------------------------------------+ +|https://onap-doc.readthedocs.io/en/latest/submodules/aaf/certservice.git/docs/index.html | ++------------------------------------------------------------------------------------------+ +|https://doc.primekey.com/ejbca | ++------------------------------------------------------------------------------------------+ +
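Review bot: in the first hunk (the `volumes:` block under `container_name: sdnc_controller_container`), the host side of both new bind mounts reads as a literal root-level path (`- /certs.properties:/opt/opendaylight/certs/certs.properties`, `- /keys0.zip:/opt/opendaylight/certs/keys0.zip`); a reader who copies this verbatim gets a non-existent host file, for which Docker silently creates an empty directory at the mount point, and the controller then finds no certificates. Make the placeholder explicit, e.g. `- <dir-with-your-files>/certs.properties:/opt/opendaylight/certs/certs.properties`, and say the same for `keys0.zip`; since the container only reads these files, appending `:ro` to both mounts is a cheap hardening step worth documenting. The mount target also moves from `/opt/opendaylight/current/certs` to `/opt/opendaylight/certs`; check that no other passage in this document still references the old path.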
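Review bot: in the second hunk, the `cmpServers.json` and `CertService configuration:` snippets ship literal credentials (`"iak": "mypassword"`, `"rv": "mypassword"`, `keystorePassword: "secret"`, `truststorePassword: "secret"`) and a plain `http://` CMP endpoint; the paragraph above does say `global.addTestingComponents` loads a test configuration, but each snippet should state this itself in the sentence right before its code block and name the values that must be overridden for anything other than a test deployment, otherwise the section reads as a recommended configuration. Wording in the same hunk: "southband interface" should be "southbound interface", "a new functionality have been introduced" should be "new functionality has been introduced", "the Contrib projects EJBCA service" needs the possessive "Contrib project's", and "ver. 2" can be spelled out as "version 2". The "For more information" grid table holds only two bare URLs; a bullet list renders more cleanly in Sphinx and is easier to maintain than the hand-drawn table borders.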